Transcript Chapter 11

FIREWALLS & NETWORK SECURITY with
Intrusion Detection and VPNs, 2nd ed.
11
Setting Up a Virtual
Private Network
By Whitman, Mattord, & Austin
© 2008 Course Technology
Learning Objectives
 Explain the components and essential operations
of virtual private networks (VPNs)
 Describe the different types of VPNs
 Create VPN setups, such as mesh or hub-and-spoke configurations
 Choose the right tunneling protocol for your VPN
 Enable secure remote access for individual users
via a VPN
 Recommend best practices for effective
configuration and maintenance of VPNs
Firewalls & Network Security, 2nd ed. - Chapter 11
Slide 2
Introduction
 Organizations routinely join LANs to facilitate
secure point-to-point communications
 Private leased lines don’t scale well, utilize
complex technology, and are expensive
 VPNs function like private leased lines
– Encapsulate and encrypt data being transmitted
– Use authentication to ensure only approved
users gain access
 VPNs provide secure point-to-point
communications over public Internet
VPN Components and Operations
 VPNs can be set up with special hardware or
with firewall software that includes VPN
functionality
 Many firewalls have VPN systems built in
 Correctly set up VPN can be a critical
component in an organization’s perimeter
security configuration
 Goal of VPNs is to provide a cost-effective and
secure way to connect business locations to
one another and remote workers to office
networks
VPN Components
 VPNs consist of two types of components:
– Hardware devices
– Software that performs security-related activities
 VPN tunnels have two endpoints or terminators
 Endpoints:
– Hardware devices or software modules
– Encrypt data to secure information
– Authenticate to ensure host requesting data is an
approved user
– Encapsulate data to protect integrity of
information being sent
VPN Components (continued)
 VPN connection occurs within a tunnel carried over IP
 Tunnel: the path across the Internet, from one
endpoint to the other, along which the encapsulated
VPN traffic travels
 “Tunnel” can be misleading as it implies:
– There is a single cable joining endpoints
– Only approved VPN users can utilize that cable
 In reality, VPN “tunnel” is virtual
 Using the Internet keeps costs down and
simplifies setup of VPN but can also add
uncertainty to communications
VPN Components (continued)
 Endpoint devices can be one of the following:
– A server running a tunneling protocol
– A VPN appliance (a special hardware device
devoted to setting up VPN communications)
– A firewall/VPN combination
– A router-based VPN (routers that support IPSec
can be set up on perimeter of connected LANs)
 VPN scenario may also include:
– Certificate servers: manage certificates
– Client computers: run VPN client software,
allowing remote users LAN access over the VPN
Essential Activities of VPNs
 Information transferred via VPN travels over the
Internet and must be well protected
 Essential activities that protect data are:
– IP encapsulation
– Data payload encryption
– Encrypted authentication
IP Encapsulation
 Used to protect VPN data packets
 Process of enclosing one packet within another
packet that has different IP source and
destination information
 Hides source and destination information of
encapsulated packets
 IP addresses of encapsulated packets can be in
the private reserved blocks that are not usually
routable over the Internet
Data Payload Encryption
 VPNs can be configured to fully or partially
encrypt the data portion of packets
 Encryption is done in one of two ways:
– Transport method: the end host encrypts the
payload when it generates the packet; the original
IP header stays in the clear, so an observer still
sees which two hosts are talking
– Tunnel method: a gateway encrypts the entire
original packet, header included, and wraps it in a
new outer IP header addressed between the two
gateways; the far gateway decrypts it
 Cipher and key length vary with the configuration
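The two slides above (IP encapsulation, and transport versus tunnel encryption) describe what is and is not visible on the wire. The following is an added example, not code from the textbook, that builds an inner packet with private (RFC 1918) addresses and shows what an on-path observer learns in the clear, in transport mode and in tunnel mode. The cipher is a labelled stand-in (an HMAC-SHA256 keystream), not the AES that real ESP uses, the ESP layout is simplified, and the addresses, key and payload are constructed for the demo.

```python
"""Added example, not code from the textbook: shows what an on-path observer
sees when the same inner packet is sent in the clear, in transport mode
(original IP header kept, payload encrypted) and in tunnel mode (whole
packet encrypted behind a new outer header between the gateways).
The cipher is a labelled stand-in (HMAC-SHA256 keystream), not ESP's real
AES, and the ESP layout is simplified; addresses and payload are constructed."""
import hashlib
import hmac
import socket
import struct

IPPROTO_ESP = 50


def ipv4_checksum(header: bytes) -> int:
    """Standard one's-complement checksum over the IPv4 header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal IPv4 header (no options, fixed ID) followed by the payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(pkt: bytes) -> dict:
    fields = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (fields[0] & 0x0F) * 4
    return {"src": socket.inet_ntoa(fields[8]), "dst": socket.inet_ntoa(fields[9]),
            "proto": fields[6], "ttl": fields[5], "payload": pkt[ihl:fields[2]],
            "checksum_ok": ipv4_checksum(pkt[:ihl]) == 0}


def keystream_xor(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Stand-in cipher: HMAC-SHA256 run in counter mode, XORed over the data."""
    stream = b"".join(hmac.new(key, iv + struct.pack("!I", n), hashlib.sha256).digest()
                      for n in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))


def esp_wrap(key: bytes, spi: int, seq: int, plaintext: bytes, next_header: int) -> bytes:
    """Simplified ESP: SPI | seq | IV | encrypt(plaintext | next_header) | ICV (truncated HMAC)."""
    iv = hashlib.sha256(struct.pack("!II", spi, seq)).digest()[:8]  # demo only; real ESP uses a fresh IV/nonce
    body = struct.pack("!II", spi, seq) + iv + keystream_xor(key, iv, plaintext + bytes([next_header]))
    return body + hmac.new(key, body, hashlib.sha256).digest()[:12]


def esp_unwrap(key: bytes, esp: bytes):
    """Verify the ICV first (integrity before decryption), then decrypt."""
    body, icv = esp[:-12], esp[-12:]
    if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest()[:12], icv):
        raise ValueError("ESP integrity check failed")
    plain = keystream_xor(key, body[8:16], body[16:])
    return plain[:-1], plain[-1]


def transport_mode(key: bytes, inner: bytes) -> bytes:
    """End host keeps its own IP header and encrypts only the payload."""
    p = parse_ipv4(inner)
    esp = esp_wrap(key, 0x1001, 1, p["payload"], p["proto"])
    return build_ipv4(p["src"], p["dst"], IPPROTO_ESP, esp, ttl=p["ttl"])


def tunnel_mode(key: bytes, inner: bytes, gw_src: str, gw_dst: str) -> bytes:
    """Gateway encrypts the whole inner packet, header included, behind a new outer header."""
    esp = esp_wrap(key, 0x2002, 1, inner, 4)  # next header 4 = IP-in-IP
    return build_ipv4(gw_src, gw_dst, IPPROTO_ESP, esp)


def decapsulate(key: bytes, pkt: bytes) -> bytes:
    """Receiving endpoint: strip ESP and recover the original packet."""
    p = parse_ipv4(pkt)
    plain, next_header = esp_unwrap(key, p["payload"])
    if next_header == 4:
        return plain                       # tunnel mode: plaintext is the inner packet
    return build_ipv4(p["src"], p["dst"], next_header, plain, ttl=p["ttl"])


def rejects(key: bytes, pkt: bytes) -> bool:
    """True when the ICV check refuses the packet (wrong key or tampering)."""
    try:
        decapsulate(key, pkt)
        return False
    except ValueError:
        return True


def observer_view(pkt: bytes) -> dict:
    """What a passive observer on the public Internet learns from the outer header."""
    p = parse_ipv4(pkt)
    return {"src": p["src"], "dst": p["dst"], "proto": p["proto"]}


KEY = b"constructed-demo-key"                                                 # constructed
INNER = build_ipv4("10.0.1.25", "10.0.2.40", 6, b"GET /payroll HTTP/1.1\r\n")  # constructed

if __name__ == "__main__":
    print("clear    :", observer_view(INNER))
    print("transport:", observer_view(transport_mode(KEY, INNER)))
    print("tunnel   :", observer_view(tunnel_mode(KEY, INNER, "203.0.113.10", "198.51.100.20")))
```

In transport mode the observer still sees 10.0.1.25 talking to 10.0.2.40 (only the payload is hidden); in tunnel mode the observer sees only the two gateway addresses and IP protocol 50, and the private addresses never appear on the public network. The receiver checks the integrity tag before decrypting, which is the order real ESP implementations use.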
Encrypted Authentication
 Encryption domain: everything in the protected
network and behind the gateway
 Authentication essential; VPN communication
recipients must know sender is approved user
 Hosts authenticate by proving possession of keys
 Two types of keys:
– Symmetric keys: both hosts hold the same secret
(pre-shared) key; each proves it knows the key,
typically with a keyed hash over freshly exchanged
nonces, without ever sending the key itself
– Asymmetric keys: each participant has a private
key and a public key; public keys are exchanged;
data encrypted with a public key can only be
decrypted with the matching private key, and a
signature made with a private key is verified with
the public key
Benefits and Drawbacks of VPNs
 Benefits:
– Secure networking without costly leased lines
– Encryption/translation handled by dedicated
systems, reducing production machine workload
– Allows control of physical setup
 Drawbacks:
– Complex and, if configured improperly, can
create significant network vulnerabilities
– Uses unpredictable and often unreliable Internet
– Some vendor solutions have more documented
security issues than others
VPNs Extend Network Boundaries
 VPN connections that are “always on” extend
your network to locations out of your control
 Some suggestions for dealing with increased
risk presented by these connections:
– Use of two or more authentication tools to
identify remote users
– Integrate virus protection
– Use Network Access Control (NAC)
– Set usage limits
Types of VPNs
 In general, you can set up two types of VPN:
– Site-to-site: links two or more networks
– Client-to-site: makes a network accessible to
individual remote users (historically over dial-in,
today over any Internet connection)
 These two VPN types are not mutually exclusive
 Options for configuring VPNs:
– Hardware systems
– Software systems
– Hybrids
 VPNs need to be able to work with any number
of different operating systems or computer types
VPN Appliances
 Hardware device specially designed to
terminate VPNs and join multiple LANs
 Can permit connections between large numbers
of users or multiple networks
 Don’t provide other services such as file sharing
and printing
 Some examples include the SonicWALL series
and the Symantec Firewall/VPN appliance
Software VPN Systems
 Generally less expensive than hardware
systems
 Tend to scale better on fast-growing networks
 Some examples include F-Secure VPN+ and
Novell’s BorderManager VPN services
VPN Combinations of Hardware and
Software
 VPN systems may implement VPN appliance at
the central network and use client software at
remote end of each VPN connection
 Most VPN concentrator appliances are capable
of operating in one of two modes:
– Client mode: concentrator acts as software client,
enabling users to connect to other remote
networks via VPN
– Network extension mode: concentrator acts as
hardware device enabling secure site-to-site
VPN connection
Combination VPNs
 VPN system that is “mixed” uses hardware and
software from different vendors
 Challenge: get all pieces of the system to
communicate with one another successfully
 Solution: pick a standard security protocol that
is widely used and supported by all devices,
such as IPSec
VPN Setups
 With two participants in a VPN, configuration is
relatively straightforward in terms of:
– Expense
– Technical difficulty
– Time involved
 When three or more networks/individuals are
connected, several configuration options exist:
– Mesh
– Hub-and-spoke
– Hybrid
Mesh Configuration
 Each participant (network, router, or computer)
in the VPN has an approved relationship, called
a security association (SA), with every other
participant
 During VPN configuration, each participant must
be specifically identified to every other
participant using the VPN
 Before initiating connection, each VPN
terminator checks its routing table or SA table to
confirm the other participant has an SA with it
Mesh VPN
Hub-and-Spoke Configuration
 A single VPN router contains records of all SAs
in the VPN
 Any LANs or computers participating in VPN
need only connect to central server, not to any
other machines in VPN
 Easy to increase the size of VPN as more
branch offices or computers are added
Firewalls & Network Security, 2nd ed. - Chapter 11
Slide 22
Hub-and-Spoke VPN
Hybrid Configuration
 As organizations grow, mesh or hub-and-spoke
VPN designs commonly evolve into a mixture of
the two
 Mesh configurations tend to be more efficient;
central core linking most important network
branches should be mesh configuration; other
branch offices added as spokes connecting to
VPN router at central office
 Hybrid setup benefits from strengths of each
one—scalability of hub-and-spoke and speed of
mesh
Configurations and Extranet and
Intranet Access
 Each VPN endpoint represents extension of
corporate network to new location—an extranet
 Same security measures taken to protect
corporate network should be applied to VPN
endpoints (firewalls, anti-virus, etc.)
 VPNs can also be used to give parts of
organization access to other areas through
corporate intranet
 VPN users inside organization should have
usage limits, anti-virus, and firewall protection,
just as outside users should
Tunneling Protocols Used with VPNs
 In the past, firewalls providing establishment of
VPNs used proprietary protocols
 Such firewalls could only establish connections
with remote LANs using same firewall brand
 Today, widespread acceptance of IPSec
protocol with Internet Key Exchange (IKE)
system means proprietary protocols are used
far less often
IPSec/IKE
 IPSec provides two security methods:
– Authentication Header (AH): authenticates packets
(origin and integrity, IP header included) but does
not encrypt; because it covers the header, AH does
not survive Network Address Translation
– Encapsulating Security Payload (ESP): encrypts the
data portion of packets and, with an integrity
algorithm configured, authenticates it as well;
most deployments use ESP with integrity protection
 IPSec can work in two different modes:
– Transport mode: provides secure
communications between hosts
– Tunnel mode: used to create secure links
between two private networks
IPSec/IKE (continued)
 IPSec/IKE VPN connection process (simplified;
IKE phase 1 with a pre-shared key):
– 1. Initiator sends a proposal (cipher, hash,
Diffie-Hellman group, authentication method);
remote host accepts one of them
– 2. Both hosts exchange Diffie-Hellman public
values and random nonces
– 3. Each host derives SKEYID from the pre-shared
key and the two nonces, and session keys from
SKEYID and the Diffie-Hellman shared secret; the
pre-shared key itself is never transmitted
– 4. Each host sends a keyed hash over the
Diffie-Hellman values, the nonces and its identity;
the peer recomputes it with its own copy of the
pre-shared key, and a match authenticates the peer
(with certificates, a digital signature takes the
place of this hash)
– 5. Over that protected channel, phase 2
negotiates the IPSec security associations (SAs)
that carry the VPN traffic
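The connection process above, and the symmetric-key authentication described on the Encrypted Authentication slide, both come down to proving possession of the pre-shared key without sending it. The following is an added example, not code from the textbook, that models that exchange: Diffie-Hellman values and nonces go over the wire, SKEYID is derived from the PSK and the nonces as IKEv1 does, and each side authenticates the other with a keyed hash. The identities, message framing and exact PRF inputs are simplified assumptions, and the block is not an interoperable IKE implementation.

```python
"""Added example, not code from the textbook: a simplified model of how two
IPsec/IKE peers prove possession of a pre-shared key (PSK) without ever
sending it. Both exchange Diffie-Hellman values and nonces, derive SKEYID
from the PSK and nonces as IKEv1 does, then exchange keyed hashes over the
exchange. Identities, message framing and exact PRF inputs are simplified;
this is not an interoperable IKE implementation."""
import hashlib
import hmac
import secrets

# 1024-bit MODP group (RFC 2409 "group 2"); too small for new deployments, but it
# keeps the demo short. Use group 14 (2048-bit) or larger in real configurations.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2


def prf(key: bytes, data: bytes) -> bytes:
    """IKE's PRF, modelled here as HMAC-SHA256."""
    return hmac.new(key, data, hashlib.sha256).digest()


def i2b(n: int) -> bytes:
    return n.to_bytes(128, "big")


class Peer:
    def __init__(self, ident: bytes, psk: bytes):
        self.ident, self.psk = ident, psk
        self.x = secrets.randbelow(P - 2) + 1     # private DH exponent, never sent
        self.gx = pow(G, self.x, P)                # public DH value, sent in the clear
        self.nonce = secrets.token_bytes(16)       # fresh per exchange, defeats replay

    def derive(self, peer_gx: int, ni: bytes, nr: bytes):
        """SKEYID = prf(PSK, Ni | Nr); the second value feeds the IPsec SA keys."""
        shared = pow(peer_gx, self.x, P)
        skeyid = prf(self.psk, ni + nr)
        return skeyid, prf(skeyid, i2b(shared) + ni + nr)

    @staticmethod
    def auth_hash(skeyid, gxi, gxr, ni, nr, ident) -> bytes:
        """HASH_I / HASH_R: keyed hash over the DH values, nonces and the identity."""
        return prf(skeyid, i2b(gxi) + i2b(gxr) + ni + nr + ident)


def run_ike_psk(psk_initiator: bytes, psk_responder: bytes):
    """Run the exchange; return (responder accepts, initiator accepts, SA keys agree)."""
    i = Peer(b"vpn-client.example", psk_initiator)   # constructed identities
    r = Peer(b"gw.example", psk_responder)
    # Messages 1-4 on the wire: proposal/accept, then g^xi and Ni, then g^xr and Nr.
    ni, nr = i.nonce, r.nonce
    skeyid_i, sa_key_i = i.derive(r.gx, ni, nr)
    skeyid_r, sa_key_r = r.derive(i.gx, ni, nr)
    # Message 5: initiator sends HASH_I; responder recomputes it with its own PSK.
    hash_i = Peer.auth_hash(skeyid_i, i.gx, r.gx, ni, nr, i.ident)
    r_accepts = hmac.compare_digest(hash_i, Peer.auth_hash(skeyid_r, i.gx, r.gx, ni, nr, i.ident))
    # Message 6: responder sends HASH_R; initiator checks it the same way.
    hash_r = Peer.auth_hash(skeyid_r, i.gx, r.gx, ni, nr, r.ident)
    i_accepts = hmac.compare_digest(hash_r, Peer.auth_hash(skeyid_i, i.gx, r.gx, ni, nr, r.ident))
    return r_accepts, i_accepts, sa_key_i == sa_key_r


if __name__ == "__main__":
    print("matching PSK  :", run_ike_psk(b"s3cret", b"s3cret"))
    print("mismatched PSK:", run_ike_psk(b"s3cret", b"wr0ng"))
```

Note what the wire carries: public Diffie-Hellman values, nonces and keyed hashes, never the PSK. In IKEv1 main mode the two hashes are sent already encrypted; in aggressive mode the responder's hash goes in the clear, which is why aggressive mode with a weak PSK is exposed to offline dictionary attacks and should be avoided.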
PPTP
 Point-to-Point Tunneling Protocol (PPTP)
 Commonly used to connect to a network using a
dial-in modem connection
 Uses Microsoft Point-to-Point Encryption
(MPPE) to encrypt data, keyed from MS-CHAP
authentication; both are now considered broken
(MS-CHAPv2 credentials can be cracked offline),
so PPTP should not be chosen for new deployments
 Useful if support for older clients is needed
 Can pass through firewalls that perform Network
Address Translation (NAT), but only if the NAT
device understands GRE, which carries no port
numbers (a PPTP helper or ALG)
L2TP
 Layer 2 Tunneling Protocol (L2TP)
 Carries Point-to-Point Protocol (PPP) frames over
IP (UDP port 1701) rather than over a dial-up line
 Provides no encryption itself; the usual
L2TP/IPSec combination protects the L2TP packets
with IPSec ESP rather than with MPPE
 Provides secure authenticated remote access
by separating connection initiation process from
encapsulated data forwarding process
PPP Over SSL/PPP Over SSH
 Point-to-Point Protocol (PPP) Over Secure
Sockets Layer (SSL) and Point-to-Point Protocol
(PPP) Over Secure Shell (SSH)
– UNIX-based methods for creating VPNs
– Combine existing tunnel system (PPP) with way
of encrypting data in transport (SSL or SSH)
 SSL (today TLS): protocol that authenticates the
server with public-key certificates and negotiates
symmetric session keys; used to secure the WWW
 SSH: UNIX secure shell; performs secure
authenticated logons and encrypted
communications; authenticates the server by its
host key and the user by password or public key,
so no pre-shared key is required
 Both carry PPP inside a TCP connection, so TCP
traffic inside the tunnel suffers from nested
retransmission when the link is lossy
VPN Protocols and Their Uses
Enabling Remote Access Connections
within VPNs
 To enable remote user to connect to VPN, user
must be issued VPN client software
 User’s computer should be equipped with a
firewall and anti-virus software
 Key may need to be obtained for remote user if
IPSec is used to make VPN connection
 Problems may be encountered finding phone
provider having dial-up numbers in all locations
Configuring the Server
 If firewall-based VPN is used, client computer
must be identified
 Check Point FireWall-1 calls the process
defining a network object
 Major operating systems incorporate their own
methods of providing secure remote access
 Linux gateways commonly pair IP masquerading
(NAT) for the LAN with a VPN daemon; masquerading
by itself provides no encryption or authentication
 Windows XP and 2000 include New Connection
Wizard
Configuring Clients
 Involves installing and configuring VPN client
software or using New Connection Wizard
 FireWall-1 uses SecuRemote that enables
connections to hosts or networks via VPN
 Important issues to consider:
– Will client software work with all client platforms
– Is client workstation itself firewall protected
 Because each VPN connection is potential
opening for viruses and hackers, requirement
that remote hosts be protected with firewalls
should be part of organization’s VPN policy
VPN Best Practices
 Successful operation of VPN depends not only
on hardware and software components and
overall configuration
 Also depends on a number of best practices
 These include:
– Security policy rules specific to the VPN
– Integration of firewall packet filtering with VPN
traffic
– Auditing VPN to ensure acceptable performance
The Need for a VPN Policy
 Essential for identifying who can use the VPN
and for ensuring all users know what constitutes
proper use
 Can be a separate stand-alone policy or part of
a larger security policy
 Points to cover include but are not limited to:
– Who is permitted to have VPN access
– Whether authentication is to be used and how
– Whether split tunneling is permitted
– How long users can be connected in one session
– Whether virus protection is included
Packet Filtering and VPNs
 Decision must be made early as to where data
encryption and decryption will be performed in
relation to packet filtering
 Encryption and decryption can occur either
inside or outside the packet-filtering perimeter
PPTP Filters
 PPTP commonly used when older clients need
to connect to a network through a VPN or when
a tunnel must pass through a firewall that
performs NAT
 For PPTP traffic to pass through a firewall,
packet-filtering rules must permit such
communications
 Control connection: incoming TCP port 1723
 Tunneled data: Generic Routing Encapsulation
(GRE), IP protocol number 47, which carries no
port numbers, so a port-only rule will not pass it
L2TP and IPSec Packet-Filtering Rules
 L2TP/IPSec: IPSec encrypts the L2TP traffic, so
the firewall sees IPSec, not L2TP, as it passes
 Packet-filtering rules must be set up that cover
IPSec traffic: UDP port 500 (IKE), UDP port 4500
(IKE and ESP NAT traversal), IP protocol 50 (ESP)
and, only if AH is actually used, IP protocol 51
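The PPTP and L2TP/IPSec filtering slides above list the protocols and ports a firewall must pass. The following is an added example, not code from the textbook, that models a small stateless packet filter and lints a rule set for the half-configured cases a practitioner meets most often (control channel allowed, data channel forgotten). The protocol and port numbers are the standard IANA assignments; the rule syntax, gateway address and sample packets are constructed for the demo.

```python
"""Added example, not code from the textbook: a tiny stateless packet-filter
model used to check that a rule set actually lets PPTP and L2TP/IPsec reach
the VPN gateway. Protocol and port numbers are the standard IANA ones; the
rule syntax, gateway address and sample packets are constructed."""
from dataclasses import dataclass
from typing import List, Optional

TCP, UDP, GRE, ESP, AH = 6, 17, 47, 50, 51


@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "deny"
    proto: int                    # IP protocol number
    dst: str = "any"
    dport: Optional[int] = None   # only meaningful for TCP/UDP


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    dport: Optional[int] = None


def evaluate(rules: List[Rule], pkt: Packet, default: str = "deny") -> str:
    """First matching rule wins. GRE/ESP/AH carry no ports, so a port-based
    rule can never match them: the protocol itself must be allowed."""
    for r in rules:
        if r.proto != pkt.proto:
            continue
        if r.dst != "any" and r.dst != pkt.dst:
            continue
        if r.dport is not None and r.dport != pkt.dport:
            continue
        return r.action
    return default


def lint_vpn_rules(rules: List[Rule], gateway: str) -> List[str]:
    """Flag the classic half-configured VPN rule sets seen from an outside client."""
    def allowed(proto: int, dport: Optional[int] = None) -> bool:
        return evaluate(rules, Packet("198.51.100.7", gateway, proto, dport)) == "allow"

    problems = []
    if allowed(TCP, 1723) and not allowed(GRE):
        problems.append("PPTP: TCP/1723 control channel allowed but GRE (protocol 47) "
                        "blocked; the tunnel negotiates and then carries no data")
    if allowed(UDP, 500) and not (allowed(ESP) or allowed(UDP, 4500)):
        problems.append("IPsec: IKE (UDP/500) allowed but neither ESP (protocol 50) nor "
                        "NAT-T (UDP/4500) allowed; the SA comes up and no data flows")
    if allowed(UDP, 1701) and not allowed(ESP):
        problems.append("L2TP: UDP/1701 allowed without IPsec ESP; bare L2TP carries "
                        "PPP frames unencrypted")
    return problems


GATEWAY = "203.0.113.10"                      # constructed gateway address
HALF_CONFIGURED = [                           # what people write first
    Rule("allow", TCP, GATEWAY, 1723),
    Rule("allow", UDP, GATEWAY, 500),
]
COMPLETE = [                                  # what actually works
    Rule("allow", TCP, GATEWAY, 1723),        # PPTP control channel
    Rule("allow", GRE, GATEWAY),              # PPTP data, GRE (protocol 47), no ports
    Rule("allow", UDP, GATEWAY, 500),         # IKE
    Rule("allow", UDP, GATEWAY, 4500),        # IKE/ESP NAT traversal
    Rule("allow", ESP, GATEWAY),              # ESP (protocol 50), no ports
    Rule("allow", AH, GATEWAY),               # AH (protocol 51), only if AH is used
    # No UDP/1701 rule: with L2TP/IPsec the L2TP packets ride inside ESP.
]

if __name__ == "__main__":
    for name, rules in (("half-configured", HALF_CONFIGURED), ("complete", COMPLETE)):
        print(name, "->", lint_vpn_rules(rules, GATEWAY) or "ok")
```

The linter encodes the point of the slides: 1723/500 are only the control channels, and the data channels (GRE, ESP) are identified by IP protocol number, not by port, so they need their own rules. With NAT in the path, ESP is carried in UDP/4500 instead, which is why the IKE check accepts either ESP or NAT-T.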
Auditing and Testing the VPN
 Each VPN computer client should be tested
 VPN should be checked to ensure component
reliability and acceptable file transfer rates
 If parts of network frequently fail, switch ISPs
 If ISP switch is needed, consider the following:
– How often does network go offline?
– Are there backup servers to keep customers
online if primary server goes down?
– Are there backup power supplies in case of a
power outage?
– How far is the network backbone?
Chapter Summary
 VPNs:
– Provide secure point-to-point communications
over the public Internet
– Used for e-commerce and telecommuting
– Can be set up with special hardware or with
firewall software that includes VPN functionality
– Are a critical component in an organization’s
perimeter security configuration
Chapter Summary (continued)
 VPN data travels over public networks and
needs to be well protected
 Essential data protection activities:
– IP encapsulation
– Data payload encryption
– Encrypted authentication
 Two different types of VPN:
– Site-to-site
– Client-to-site
 The two are not necessarily mutually exclusive
Chapter Summary (continued)
 VPN configurations:
– Mesh configuration: each participant has an
approved relationship with every other participant
– Hub-and-spoke arrangement: single, central VPN
router contains records of all associations; any
other participants connect only to central server
– Hybrid setup: mixture that often evolves from the
other configuration types as organization grows
 Widespread use of IPSec with Internet Key
Exchange (IKE) means proprietary protocols
used far less often
Chapter Summary (continued)
 IPSec provides two security methods:
– Authentication Header (AH): authenticates
packets
– Encapsulating Security Payload (ESP): encrypts
the data portion of packets
 Both methods can be used together
Chapter Summary (continued)
 Point-to-Point Tunneling Protocol (PPTP) used
to connect to network using dial-in modem
 Layer 2 Tunneling Protocol (L2TP) extension of
protocol long used for dial-up connections on
the Internet, Point-to-Point Protocol (PPP)
 Point-to-Point Protocol (PPP) Over Secure
Sockets Layer (SSL) and Point-to-Point Protocol
(PPP) Over Secure Shell (SSH)
– UNIX-based methods for creating VPNs
– Combine existing tunnel system (PPP) with data
encryption in transport (SSL or SSH)
Chapter Summary (continued)
 To enable remote user to connect to a VPN,
issue that user VPN client software
 Make sure user’s computer has anti-virus
software and a firewall
 May need to obtain key for remote user if using
IPSec to make VPN connection
 VPN best practices include:
– Security policy rules specific to the VPN
– Integration of firewall packet filtering and VPN
traffic
– Auditing VPN to ensure acceptable performance